Reference

update ssl ocsp-response

On this page

Request an updated OCSP response.

Description Jump to heading

Available since

  • HAProxy 2.8
  • HAProxy Enterprise 2.8r1

When OCSP is enabled, the load balancer will automatically, and on a specified interval, fetch the OCSP response for each of its configured certificates. You can also request an immediate retrieval of this response using update ssl ocsp-response.

To display the last updated OCSP response, use the Runtime API commands show ssl ocsp-response or show ssl cert.

Examples Jump to heading

Follow these steps to update the OCSP response.

  1. Request an immediate update of the OCSP response for the certificate specified. Note that the certificate is specified by its path (in this example /etc/hapee-3.0/certs/cert.pem).

    nix
    echo -e "update ssl ocsp-response /etc/hapee-3.0/certs/cert.pem" | \
      sudo socat stdio tcp4-connect:127.0.0.1:9999
    nix
    echo -e "update ssl ocsp-response /etc/hapee-3.0/certs/cert.pem" | \
      sudo socat stdio tcp4-connect:127.0.0.1:9999

  2. The load balancer will retrieve the latest response. You can then show the response using show ssl ocsp-response, providing the Certificate ID key (use show ssl ocsp-response without providing a Certificate ID key to list all responses for all certificates, including their Certificate ID keys):

    nix
    echo -e "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100a" | \
      sudo socat stdio tcp4-connect:127.0.0.1:9999
    nix
    echo -e "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100a" | \
      sudo socat stdio tcp4-connect:127.0.0.1:9999
    output
    text
    OCSP Response Data:
      OCSP Response Status: successful (0x0)
      Response Type: Basic OCSP Response
      Version: 1 (0x0)
      Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com
      Produced At: May 27 15:43:38 2021 GMT
      Responses:
      Certificate ID:
        Hash Algorithm: sha1
        Issuer Name Hash: 8A83E0060FAFF709CA7E9B95522A2E81635FDA0A
        Issuer Key Hash: F652B0E435D5EA923851508F0ADBE92D85DE007A
        Serial Number: 100A
      Cert Status: good
      This Update: May 27 15:43:38 2021 GMT
      Next Update: Oct 12 15:43:38 2048 GMT
      [...]
    output
    text
    OCSP Response Data:
      OCSP Response Status: successful (0x0)
      Response Type: Basic OCSP Response
      Version: 1 (0x0)
      Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com
      Produced At: May 27 15:43:38 2021 GMT
      Responses:
      Certificate ID:
        Hash Algorithm: sha1
        Issuer Name Hash: 8A83E0060FAFF709CA7E9B95522A2E81635FDA0A
        Issuer Key Hash: F652B0E435D5EA923851508F0ADBE92D85DE007A
        Serial Number: 100A
      Cert Status: good
      This Update: May 27 15:43:38 2021 GMT
      Next Update: Oct 12 15:43:38 2048 GMT
      [...]

See also Jump to heading

Do you have any suggestions on how we can improve the content of this page?

Previous page trace Next page user
© 2024 HAProxy Technologies, LLC. All Rights Reserved
Manage Cookie Preferences